DOI: 10.1145/2591971.2592003

A measurement study of Google Play

Published: 16 June 2014

Abstract

Although millions of users download and use third-party Android applications from the Google Play store, little information is known on an aggregated level about these applications. We have built PlayDrone, the first scalable Google Play store crawler, and used it to index and analyze over 1,100,000 applications in the Google Play store on a daily basis, the largest such index of Android applications. PlayDrone leverages various hacking techniques to circumvent Google's roadblocks for indexing Google Play store content, and makes proprietary application sources available, including source code for over 880,000 free applications. We demonstrate the usefulness of PlayDrone in decompiling and analyzing application content by exploring four previously unaddressed issues: the characterization of Google Play application content at large scale and its evolution over time, library usage in applications and its impact on application portability, duplicative application content in Google Play, and the ineffectiveness of OAuth and related service authentication mechanisms resulting in malicious users being able to easily gain unauthorized access to user data and resources on Amazon Web Services and Facebook.

